Defending DDoS (Distributed Denial-of-Service)
We’ve been dealing with some back-end issues recently. Something has been making our Bridge servers hang, which caused even simple requests to time out. This impacted everything from user registration to file retrievals. These timeouts manifested as “404 — Bad Gateway” errors from our API as the servers accepted connections and then failed to do anything with them. We spent a lot of time and effort tracking down the root of the issue. Turns out one overlooked variable assignment caused it all.
When we first noticed the issue, we figured it was somehow load-related. So we added a few more Bridge servers to spread the load a bit. Contrary to our expectations, scaling up the backend made the issues worse. Every additional node we added exacerbated the problem. And when we cut out every server but one, the problem almost went away. This is the point where we scratched our heads and decided it must be architectural rather than load-related. As it turns out, we should have stuck with our initial hunch. It was load. We just didn’t understand the load.
DDoS is a particularly nasty type of attack that attempts to disrupt the availability of systems by overwhelming servers, saturating bandwidth, or other techniques. Your business is most likely heavily reliant upon specific critical systems, and this article provides an overview of the DDoS attacks that could take those systems down and of techniques for combating them.
It is best to understand what DoS and DDoS attacks are and how they work before discussing how to fight them. DoS (Denial of Service) attacks disrupt the availability of key information systems so that legitimate users cannot access these resources. A DDoS attack accomplishes the same thing using a distributed set of compromised computers, often called “bots” or “zombies”, and it is incredibly powerful because it harnesses the processing power of thousands of machines and the bandwidth of many networks. Both DoS and DDoS attacks result in lost sales, lost customer confidence, reduced productivity, or increased work for support staff. So how does a DDoS attack work?
Understanding the DDoS
DDoS attacks rely on the power of many distributed machines, so the first part of a DDoS attack is assembling an army of bots. Attackers scour the Internet using automated tools to search for vulnerable machines. These machines are then exploited and turned into bots by installing software on them that waits for commands from a command and control server. The bots are in turn used to compromise further machines until a sufficiently large army is assembled for the attack.
The attacker is now ready to initiate an attack with their bot army. Attacks are initiated automatically or semi-automatically. Automatic attacks already have the target programmed into them by the attacker, so the attack takes place as soon as the bot army is assembled. This minimizes the interaction the attacker has with their bot army and makes it more difficult for them to be identified. In semi-automatic attacks, instructions are sent to the bot army by the attacker through command and control servers once the bot army is assembled.
Some DDoS attacks, called protocol attacks, target a particular protocol or vulnerability; others rely on brute force. Protocol attacks take advantage of a bug in the software or a feature of the communication to tie up resources of the target so that legitimate traffic cannot be serviced. Brute-force attacks bombard the system with otherwise seemingly legitimate transactions. Protocol attacks would seem like the more advanced method, but they can be stopped by patching the system to remove the bug or changing the way the system operates so that the feature cannot be exploited. Brute-force traffic is no different from legitimate traffic except for its volume, so it is more difficult to combat.
Cloud Screening
— Cloud service providers have much higher capacity than individual companies.
— Companies can pass traffic through a cloud service provider, who can absorb DDoS traffic and only pass valid website requests on to the company’s site.
Infrastructure Improvements
— Increasing bandwidth and server performance.
— Attacks attempt to overwhelm available resources, so additional resources will allow you to withstand larger attacks.
— Over-provisioning: having more server capacity or bandwidth than is normally necessary.
— Over-provisioning addresses the number one problem brought on by a DDoS attack: link and equipment saturation.
— It can be difficult to determine how much extra hardware and bandwidth is necessary to withstand an attack, as even some of the largest companies have succumbed to DDoS attacks.
— When attacks fail, attackers often gather a larger bot army and try again.
Traffic Filtering
— Configuring your firewall or IDS (Intrusion Detection System) to filter DDoS traffic, if the functionality is available.
— Analyzing TCP flow control, filtering packets, and using blacklists and whitelists.
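To make the filtering bullet concrete, here is an added example (not code from the original article) of the decision logic a per-source filter applies: a blacklist that is always dropped, a whitelist that bypasses rate limiting, and a token bucket per source so that one flooding host is throttled while low-rate clients are unaffected. The addresses, rates and the event stream are constructed for illustration; a production deployment would put the same policy in the firewall or IDS rather than in application code.

```python
"""Per-source connection filter: blacklist, whitelist, token-bucket rate limit.

Added example, not from the original article. The event stream below is constructed
and the rate/burst values are hypothetical tuning parameters.
"""
from collections import defaultdict


class SourceFilter:
    """Decide ACCEPT or DROP for each (timestamp, source) event.

    Evaluation order: blacklist first, then whitelist (bypasses the rate limit),
    then a per-source token bucket. Tokens refill at `rate` per second up to `burst`,
    so a source may send a short burst but not a sustained flood.
    """

    def __init__(self, rate, burst, whitelist=(), blacklist=()):
        self.rate = float(rate)
        self.burst = float(burst)
        self.whitelist = set(whitelist)
        self.blacklist = set(blacklist)
        self.tokens = defaultdict(lambda: self.burst)  # full bucket for new sources
        self.last = {}

    def _refill(self, src, now):
        prev = self.last.get(src, now)
        self.tokens[src] = min(self.burst, self.tokens[src] + (now - prev) * self.rate)
        self.last[src] = now

    def decide(self, src, now):
        if src in self.blacklist:
            return "DROP"
        if src in self.whitelist:
            return "ACCEPT"
        self._refill(src, now)
        if self.tokens[src] >= 1.0:
            self.tokens[src] -= 1.0
            return "ACCEPT"
        return "DROP"


def run_filter(events, rate=5, burst=10, whitelist=(), blacklist=()):
    """Apply the filter to sorted (timestamp, src) events; return per-source verdict counts."""
    flt = SourceFilter(rate, burst, whitelist, blacklist)
    stats = defaultdict(lambda: {"ACCEPT": 0, "DROP": 0})
    for ts, src in events:
        stats[src][flt.decide(src, ts)] += 1
    return {src: dict(counts) for src, counts in stats.items()}


# Constructed sample (documentation ranges, not real hosts):
#   203.0.113.7   floods: 100 connections within one second
#   198.51.100.2  normal client: one connection per second
#   192.0.2.9     whitelisted monitoring host: 50 connections in 5 seconds
#   203.0.113.99  blacklisted source
SAMPLE_EVENTS = sorted(
    [(i / 100.0, "203.0.113.7") for i in range(100)]
    + [(float(i), "198.51.100.2") for i in range(10)]
    + [(i / 10.0, "192.0.2.9") for i in range(50)]
    + [(float(i), "203.0.113.99") for i in range(5)]
)

if __name__ == "__main__":
    verdicts = run_filter(SAMPLE_EVENTS, whitelist=["192.0.2.9"], blacklist=["203.0.113.99"])
    for src, counts in sorted(verdicts.items()):
        print(f"{src:15} {counts}")
```

With a 10-token burst and 5 tokens/second refill, the flooding source gets roughly 14 of its 100 connections through and the rest are dropped, while the 1 request/second client never sees a drop. The bucket parameters are the knob a practitioner tunes against observed legitimate peak rates, which is exactly why real-time monitoring (below) matters.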
Real-Time Monitoring
— Real-time monitoring can identify a DDoS attack early.
— Systems must be actively monitored so that action can be taken quickly to resolve the situation.
— Attacks can ramp up quickly, so administrators might not have much time to respond once an alert comes in.
— Note that not all DDoS attacks happen immediately: some gradually increase the number of requests made to resources until the resources become unavailable.
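The two failure modes in this list, a sudden flood and a slow ramp, need different detection logic: a fixed threshold catches the flood but reports the ramp only once resources are already exhausted. The following added example (not from the original article) buckets constructed access-log lines into one-minute windows, establishes a baseline from the first few windows, and raises a "spike" alert on a single window far above baseline or a "ramp" alert when several consecutive windows climb monotonically past a lower multiple. The log format, window size, factors and addresses are all hypothetical.

```python
"""Request-rate monitoring over access-log lines: flag sudden floods and slow ramps.

Added example, not from the original article. Log lines are constructed; the
baseline length, multipliers and window size are hypothetical tuning values.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
import statistics

LOG_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Return (timestamp, src_ip) from a constructed 'TS IP METHOD PATH STATUS' line."""
    ts, ip, _method, _path, _status = line.split()
    return datetime.strptime(ts, LOG_FORMAT).replace(tzinfo=timezone.utc), ip


def requests_per_window(lines, window_seconds=60):
    """Bucket requests into fixed windows; return ordered (window_start_epoch, count).

    Empty windows between the first and last request are kept as zero counts so that
    a quiet gap cannot hide a trend.
    """
    counts = Counter()
    for line in lines:
        ts, _ip = parse_line(line)
        epoch = int(ts.timestamp())
        counts[epoch - epoch % window_seconds] += 1
    if not counts:
        return []
    start, end = min(counts), max(counts)
    return [(w, counts.get(w, 0)) for w in range(start, end + 1, window_seconds)]


def detect(lines, window_seconds=60, baseline_windows=5, spike_factor=10.0,
           ramp_windows=4, ramp_factor=3.0):
    """Return a list of (kind, window_start_epoch, count) alerts.

    'spike': one window exceeds spike_factor x the baseline median.
    'ramp' : ramp_windows consecutive windows each higher than the previous one and
             the latest exceeds ramp_factor x baseline, i.e. the gradual build-up that
             a plain threshold would only report once it is already a spike.
    """
    series = requests_per_window(lines, window_seconds)
    if len(series) <= baseline_windows:
        return []
    baseline = max(1.0, statistics.median(c for _, c in series[:baseline_windows]))
    alerts = []
    for i in range(baseline_windows, len(series)):
        window, count = series[i]
        if count > spike_factor * baseline:
            alerts.append(("spike", window, count))
        first = i - ramp_windows + 1
        recent = [c for _, c in series[first:i + 1]] if first >= 0 else []
        if (len(recent) == ramp_windows
                and all(a < b for a, b in zip(recent, recent[1:]))
                and count > ramp_factor * baseline):
            alerts.append(("ramp", window, count))
    return alerts


def make_log(per_minute_counts, start="2024-03-01T12:00:00Z"):
    """Construct sample log lines: per_minute_counts[i] requests during minute i."""
    t0 = datetime.strptime(start, LOG_FORMAT).replace(tzinfo=timezone.utc)
    lines = []
    for minute, n in enumerate(per_minute_counts):
        for k in range(n):
            ts = t0 + timedelta(minutes=minute, seconds=(k * 60) // max(n, 1))
            lines.append(f"{ts.strftime(LOG_FORMAT)} 198.51.100.{k % 50} GET /api/files 200")
    return lines


# Constructed scenarios: ~20 requests/minute baseline, then a flood, a climb, or nothing.
SUDDEN_FLOOD = make_log([20, 21, 19, 20, 22, 20, 400])
SLOW_RAMP = make_log([20, 21, 19, 20, 22, 30, 42, 55, 70])
QUIET = make_log([20, 21, 19, 20, 22, 21, 20, 19])

if __name__ == "__main__":
    for name, log in (("flood", SUDDEN_FLOOD), ("ramp", SLOW_RAMP), ("quiet", QUIET)):
        print(name, detect(log))
```

Note that the ramp scenario never crosses the 10x spike threshold, so a threshold-only monitor would stay silent while capacity is being eaten minute by minute; the trend check is what gives administrators the head start the list above says they need.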
Log Maintenance
Both genuine users and DDoS traffic generate server log events, and some services reject connections once the log fills up. Log file growth rates and sizes can indicate an attack, but to prevent a full log from making a system unavailable you can increase log file sizes, archive logs, or roll the logs over. If a system is set to refuse connections when the log is full, you should not implement log rollover, because the refusal is a security mechanism meant to prevent unauthorized access. Use archiving or larger log files instead to keep servers available.
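The distinction the paragraph draws between archiving and rollover is easiest to see by running both against the same flood of log records. This added example (not from the original article) compresses a full log into an archive directory and starts a fresh file, so every record survives, and contrasts it with a classic rollover that discards generations beyond a retention count. File names, the size threshold and the record format are hypothetical; in practice the same policy is usually expressed as a logrotate or logging-handler configuration.

```python
"""Archive-on-size versus rollover for a server log under heavy load.

Added example, not from the original article. Paths, the 4 KiB threshold and the log
line format are hypothetical; real thresholds are megabytes to gigabytes.
"""
import gzip
import os
import shutil
import tempfile
import time


def log_is_full(path, max_bytes):
    """True when the active log has reached the size at which a service might refuse connections."""
    return os.path.exists(path) and os.path.getsize(path) >= max_bytes


def archive_log(path, archive_dir, max_bytes):
    """Gzip the active log into archive_dir and truncate it, keeping every record.

    Returns the archive path, or None when the log is still below the threshold.
    """
    if not log_is_full(path, max_bytes):
        return None
    os.makedirs(archive_dir, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%S", time.gmtime())
    base = os.path.join(archive_dir, f"{os.path.basename(path)}.{stamp}")
    target, n = base + ".gz", 0
    while os.path.exists(target):  # two archives in the same second must not clobber
        n += 1
        target = f"{base}.{n}.gz"
    with open(path, "rb") as src, gzip.open(target, "wb") as dst:
        shutil.copyfileobj(src, dst)
    open(path, "w").close()  # truncate; writers keep appending to the same path
    return target


def rollover_log(path, max_bytes, keep=3):
    """Classic rollover: path -> path.1 -> ... -> path.keep; the oldest generation is lost.

    Included for contrast with archive_log: records older than `keep` generations vanish.
    """
    if not log_is_full(path, max_bytes):
        return False
    for i in range(keep, 0, -1):
        older = f"{path}.{i}"
        newer = f"{path}.{i - 1}" if i > 1 else path
        if os.path.exists(older):
            os.remove(older)
        if os.path.exists(newer):
            os.rename(newer, older)
    open(path, "w").close()
    return True


def _count_lines(path, opener=open):
    if not os.path.exists(path):
        return 0
    with opener(path, "rt") as fh:
        return sum(1 for _ in fh)


def archived_record_count(archive_dir):
    """Count records across every gzip archive, to confirm nothing was lost."""
    return sum(_count_lines(os.path.join(archive_dir, name), gzip.open)
               for name in sorted(os.listdir(archive_dir)))


def demo(root=None, batches=3, per_batch=100, limit=4096):
    """Write `batches` bursts of constructed records through both policies; report survivors."""
    root = root or tempfile.mkdtemp(prefix="ddos-log-demo-")
    archived_path = os.path.join(root, "access.log")
    rolled_path = os.path.join(root, "rollover.log")
    archive_dir = os.path.join(root, "archive")
    written = 0
    for batch in range(batches):
        for path in (archived_path, rolled_path):
            with open(path, "a") as fh:
                for i in range(per_batch):  # constructed records, ~53 bytes each
                    fh.write(f"2024-03-01T12:{batch:02d}:{i % 60:02d}Z 198.51.100.{i % 20} "
                             f"GET /api/files 200\n")
        written += per_batch
        archive_log(archived_path, archive_dir, limit)
        rollover_log(rolled_path, limit, keep=1)
    return {
        "written": written,
        "archived_records": archived_record_count(archive_dir) + _count_lines(archived_path),
        "rollover_survivors": _count_lines(rolled_path) + _count_lines(rolled_path + ".1"),
    }


if __name__ == "__main__":
    print(demo())
```

Each 100-record batch exceeds the 4 KiB threshold, so both policies fire after every batch: the archive side retains all 300 records across three compressed files, while rollover with one kept generation is left holding only the last 100. That lost history is the reason the paragraph steers away from rollover on systems that treat a full log as a security stop.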